Batman can’t help you with this “Joker.” A bad batch of Android apps briefly available in the Google Play store amassed hundreds of thousands of downloads — and they reportedly carry a malware code dubbed as “Joker”, designed to sign you up for subscription-based services without user knowledge. This new Android malware may be the most twisted yet. Joker’s purpose, once deployed, is to sign up its victims to subscription services without their knowledge or consent. This new malware was first detected by CSIS Security Group malware analyst Aleksejs Kuprins, who has been monitoring the malicious code and penned a detailed analysis of Joker.
Though the apps have been removed from the Play Store, those who still have these on their devices are recommended to delete as soon as possible. But what is Joker malware, how many apps has it affected and in which countries? We take a look at everything to know about Joker malware.
What is Joker malware and what does it do?
Joker Trojan steals money from a user’s account by signing them up for premium subscriptions. It starts by silently simulating interaction with an advertisement without the user knowing and then even steals the victim’s SMS messages, which might contain OTP to authenticate payments. Once it infects a phone or tablet through one of the host apps, it steals the device’s contact list and SMS text messages – scary stuff, but fairly commonplace in the murky world of malware.
It doesn’t stop there, though. What makes the Joker a particularly deranged piece of malware is that it also manages to simulate interactions with websites, with the end result of signing up to a paid service – with the victim left to foot the bill. So essentially, a user might not even know that they have been signed up for a subscription service and the money is being deducted from their account unless maybe they check their credit card statements, etc regularly.
“This strategy works by automating the necessary interaction with the premium offer’s webpage, entering the operator’s offer code, then waiting for an SMS message with a confirmation code and extracting it using regular expressions. Finally, the Joker submits the extracted code to the offer’s webpage, in order to authorize the premium subscription,” report says
Joker Malware: Which Apps Are Affected & In Which Countries?
In total, the 24 affected Android apps have racked up over 472,000 total downloads on the Google Play Store – a sizeable enough number that it’s definitely worth Android users double-checking their credit card statement to ensure the Joker isn’t laughing at their expense. The list includes:
- Advocate Wallpaper
- • Age Face
- • Altar Message
- • Antivirus Security- Security Scan
- • Beach Camera
- • Board Picture Editing
- • Certain Wallpaper
- • Climate SMS
- • Collate Face Scanner
- • Cute Camera
- • Dazzle Wallpaper
- • Declare Wallpaper
- • Display Camera
- • Great VPN
- • Humor Camera
- • Ignite Clean
- • Leaf Face Scanner
- • Mini Camera
- • Print Plant Scan
- • Rapid Face Scanner
- • Reward Clean
- • Ruddy SMS
- • Soby Camera
- • Spark Wallpaper
The Joker malware has targeted a total of 37 countries with a majority in Asia and the EU. In addition to India, the list includes Australia, Austria, Belgium, Brazil, China, Cyprus, Egypt, France, Germany, Ghana, Greece, Honduras, Indonesia, Ireland, Italy, Kuwait, Malaysia, Myanmar, Netherlands, Norway, Poland, Portugal, Qatar, Republic of Argentina, Serbia, Singapore, Slovenia, Spain, Sweden, Switzerland, Thailand, Turkey, Ukraine, United Arab Emirates, United Kingdom and United States.
Joker Malware: How To Fix It?
Whilst there are no big names in the list, nearly half a million downloads suggest that a fair few people have been hit by the Joker malware. If any of the apps above sound familiar, you’ll want to trawl through your bank and credit card statements looking for suspicious charges. There is a good chance that the services the malware has signed up a user for will not appear in their Play Store subscriptions. So, to find that out, one will need to carefully sift through their bank account, credit card statement. The Joker malware is understood to have started its reign of auto-subscription terror in June, so that’s the date to start from.
If you’re particularly alarmed or have discovered you’ve already fallen victim to the attack, you may also want to consider how you store your credit card information on your phone or tablet. While the Joker is one of the more sophisticated malware viruses we’ve seen, it will only have been able to extract a payment from you if you had your details fully stored on your device. Lastly, attacks like the Joker highlight the value of investing in a quality mobile security solution.
Joker Malware Steals Contact List So Inform Friends, Maybe?
The CSIS Security Group blog post has revealed that Joker malware can also potentially steal a user’s device information as well as contact list so it is recommended that those infected call their friends to let them know about the Trojan.
“The final important thing worth mentioning about the Joker is the phone book contact list theft. The core component collects all numbers in the contact list and sends them over to the C&C in an encrypted form,” the post added.
According to the report, the current iteration of the Joker malware campaign appears to go back as far as June of this year. Kuprins notes that Google removed the apps before his security firm reached out to the company, so it appears that the tech giant has been monitoring the situation as well.
Malware has long been a problem plaguing Android devices. Facebook has even gone so far as to file a lawsuit last month against one developer, whose malware-ridden Android app engaged in click fraud on the social media company’s ad network. While other recent Android-targeted malware campaigns have had a broader reach, such as “Agent Smith,” which has infected 25 million devices, Joker’s automated subscription attack certainly makes it among the more interesting.
